Microsoft Entra ID

This guide walks you through how to configure Microsoft Entra ID (formerly known as Azure Active Directory) as a SAML IdP for RiskOS™ authentication.

Before you begin

You will need your socure_public_account_id, available in the RiskOS™ Dashboard on the Developer Workbench > API Keys page under the Customer ID section.

Set Up Single Sign-On (SSO) with Microsoft Entra ID

1. Configure SAML in Microsoft Entra ID

Follow these steps to create a SAML 2.0 integration in Microsoft Entra ID:

Log into your Entra ID account.
Go to Identity > Applications > Enterprise applications.
Click New application, then select Create your own application.
On the Create your own application page:
- Enter a name for your new application.
- Select Integrate any other application you don't find in the gallery.
Click Create. Once the application's Overview page appears, the application is successfully created.
Under Getting Started, click Set up Single Sign-On.
Under Basic SAML Configuration, click Edit.
On the Basic SAML Configuration page, enter the following values:

Property	Value
Identifier (Entity ID)	Enter one of the following: Sandbox environment: `https://riskos.sandbox.socure.com/saml2/socure_public_account_id` Production environment: `https://riskos.socure.com/saml2/socure_public_account_id`
Reply URL (Assertion Consumer Service URL)	Enter: `https://api-dashboardv2.socure.com/saml2/SSO`

Property

Value

Identifier (Entity ID)

Enter one of the following:

Sandbox environment: https://riskos.sandbox.socure.com/saml2/socure_public_account_id
Production environment: https://riskos.socure.com/saml2/socure_public_account_id

Reply URL (Assertion Consumer Service URL)

Enter: https://api-dashboardv2.socure.com/saml2/SSO

Click X to close the page.
Under Attributes & Claims, click Edit.
On the Attributes & Claims page, click Unique User Identifier (Name ID).
On the Manage Claim page:

Set Name identifier format to Email address.
Select Attribute as Source.
Set Source attribute to user.email.

Click Save.
On the Attributes & Claims page, go to Additional claims and update all claims to your SAML attributes.

2. Configure SAML attribute statements

When setting up attribute statements, ensure the following attributes are configured:

Name	Name Format	Value	Required?
`urn:oid:2.5.4.42`	Unspecified	`user.firstName`	Yes
`urn:oid:2.5.4.4`	Unspecified	`user.lastName`	Yes
`urn:oid:2.5.4.20`	Unspecified	`user.phoneNumber`	Yes
`urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`	Unspecified	`user.email`	Yes
`https://dashboard.socure.com/attributes/role`	URI Reference	`String.join(",", appuser.RoleName)`	Optional

If you want to manage what role(s) a user should have when they access RiskOS, you will need to add a new custom attribute. Fill out the details of the new custom attribute as follows:

Data type: string array
Display Name: https://dashboard.socure.com/attributes/role
Variable Name: RoleName
Enum: Checked
Attribute Members:
Display name is flexible and can be defined as you prefer, however the value has to match a valid RiskOS™ role name.

The following table lists the valid role names available in RiskOS™:

Example Display Name	Value
Admin	administrator
Acc Owner	account owner
Dev	developer
Fraud Analyst	fraud analyst
Compliance Analyst	compliance analyst
Compliance Officer	compliance officer
Compliance Supervisor	compliance supervisor

📘
Note:
In future releases, RiskOS™ will support custom role names.

3. Send the SAML Metadata to Socure

Once the SAML app integration is created, generate the SAML metadata file and securely share it with Socure.

Steps to retrieve and send metadata:

From the side navigation menu, click Single sign-on.
Under SAML Signing Certificate, click Download to download the Federation Metadata XML.
Send the metadata file to Socure using a secure communication method.

Do not copy and paste just the X.509 certificate from the SAML Setup Instructions page. Socure requires the full SAML metadata file (XML format), which includes your entity ID, endpoints, and certificates. Be sure to download and share the complete metadata file.

📘
Important: Customers must provide two separate metadata files to Socure:

One for the RiskOS™ Sandbox environment

One for the RiskOS™ Production environment

After receiving your SAML metadata file, your Technical Account Manager will confirm when SAML is enabled for your account.

4. Test the integration

To test the SAML integration, go to the IdP Admin Console, create a user, assign Socure's RiskOS™ app to the user and assign role(s) via the custom RoleName SAML attribute. When the user launches the RiskOS™ app from the IdP dashboard, the following occurs:

The Users tab on the Users and Roles page in RiskOS™ is populated with the user's name, email address, and phone number. The user is assigned the role(s) specified in the RoleName custom SAML attribute. If role(s) is not assigned, the system will default to assigning Analyst role to the user.

5. Assign users to RiskOS™

If you are planning to manage role assignment to users and you have configured the custom SAML attribute for RoleName, you can assign role(s) to the user when assigning the application. If a role is not assigned, the system will default to assigning Analyst role to the user.

📘
Note:
RiskOS™ can have only 1 user assigned as Account Owner.
A role assigned to user is applicable in both Sandbox and Production. That is, if you assign a Developer role to a user, the user will have Developer role in both RiskOS Sandbox and RiskOS Production. In early 2026, we will be enhancing role-based access management to allow customers to assign roles by environment (e.g. assign [email protected] Administrator role only in Sandbox and assign only Developer role in Production).

📘
Note:
Users are required to re-authenticate every 12 hours by default; however, you can specify a shorter duration using the maxAuthenticationAge parameter for further security hardening.

Updated 2 months ago